Press ESC to close

Analysis of Elpaco: a Mimic variant

Key Detail Information
Threat Actors Unknown
Campaign Overview Attackers accessed the victim’s server via RDP using brute force, then deployed Elpaco ransomware, exploiting CVE-2020-1472 (Zerologon) for privilege escalation.
Target Regions (Or Victims) Unspecified (victim likely a Windows server user)
Methodology Brute force RDP login, exploit CVE-2020-1472, deploy ransomware via Everything library, encrypt files using ChaCha20, RSA-4096 encryption for key.
Product Targeted Windows server systems
Malware Reference Elpaco ransomware variant, utilizes Everything library, mimics svchost.exe.
Tools Used RDP (Remote Desktop Protocol), 7-Zip, Everything library, svhostss.exe, DC.exe, PowerShell.
Vulnerabilities Exploited CVE-2020-1472 (Zerologon) for privilege escalation
TTPs (Tactics, Techniques, Procedures) Brute force (RDP), use of legitimate software (Everything library), file encryption (ChaCha20), code obfuscation, key encryption (RSA-4096).
Attribution No clear attribution provided
Recommendations Strengthen RDP security, patch vulnerabilities, use multi-factor authentication, regular malware scans.
Source Securelist by Kaspersky

Read full article: https://securelist.com/elpaco-ransomware-a-mimic-variant/114635/

Disclaimer: The above summary has been generated by an AI language model

Source: Securelist by Kaspersky

Published on: November 26, 2024

Related posts:

ELPACO-Team Ransomware: A New Variant of the MIMIC Ransomware Family Analysis of Diavol Ransomware reveals possible link to TrickBot gang Germany warns of potential cyber threats from Russia ahead of snap election Play Ransomware Group - Detection and Protection

Leave a Reply

Your email address will not be published. Required fields are marked *

Stay Updated with Our Newsletter

Filter Posts by Date

Explore Topics